Observables
- Updated Jul 31, 2025
Observables represent stateful properties (such as the MD5 hash of a file or the value of a registry key) or measurable events (such as the creation of a registry key or the deletion of a file) that are pertinent to the operation of computers and networks.
- Artifact
- AS Number
- Directory
- Domain Name
- Email Address
- Email Message
- Email Subject
- File
- IPv4 Address
- IPv4 CIDR
- IPv6 Address
- IPv6 CIDR
- MAC Address
- MD5 Hash
- Mutex Name
- Network
- Other Observable
- Process
- SHA1 Hash
- SHA256 Hash
- SHA512 Hash
- Software
- URL
- User Account
- Windows Registry Key
- X.509 Certificate
Related Content
- Indicators
Indicators are artifacts observed on a network or operating system that are likely to indicate an intrusion. Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files or URLs, or domain names.
- Attack Patterns
Attack patterns are a type of Tactics, Techniques, and Procedures (TTPs) that describe the methods adversaries use in attempting to compromise targets.
- Campaign
A Campaign is defined as a grouping of adversarial behaviors that describes a set of malicious activities or attacks, sometimes called waves, that occur over a period of time against a specific set of targets.
- Courses of Action
A Course of Action is an action taken either to prevent an attack or to respond to an attack that is in progress.
- Identity
Identities represent actual individuals, organizations or groups, and classes of individuals, systems, or groups. Identities apply for STIX 2.x.
- Infrastructure
The Infrastructure SDO represents a type of Tactics, Techniques, and Procedures (TTPs). It describes any systems, software services, and any associated physical or virtual resources intended to support some purpose of an attack. Infrastructure applies for STIX 2.x.
- Intrusion Set
An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties. An Intrusion Set usually involves a single organization. Intrusion Sets apply for STIX 2.x.
- Location
A Location represents a geographic location. Locations are primarily used to give context to other SDOs. Locations apply for STIX 2.x.
- Malware
Malware is a type of TTP that represents malicious code. It refers to a program that is covertly inserted into a system. Malware applies for STIX 2.x.
- Malware Analysis
Malware Analysis captures the metadata and results of a malware. Malware analysis applies for STIX 2.x.
- Object Sighting
Sightings denote that an object was seen. The object may be malware, a tool, a threat actor, and so on.
- Observed Data
Observed Data conveys information about cyber security-related entities such as files, systems, and networks using the STIX Cyber-observable Objects (SCOs). Observed data applies for STIX 2.x.
- Threat Actor
Threat Actors are individuals, groups, or organizations who act with malicious intent. Threat actors apply for STIX 2.x.
- Threat Event
An event or situation that has the potential for causing undesirable consequences or impact.
- Threat Grouping
A Threat Grouping object explicitly asserts that the referenced STIX Objects have a shared context. Threat groupings apply for STIX 2.x.
- Threat Note
A Threat Note conveys informative text to provide additional analysis not contained in the STIX Objects, Marking Definition objects, or Language Content objects which the Note relates to. Threat notes apply for STIX 2.x.
- Threat Opinion
An Opinion is an assessment of the accuracy of the information in a STIX Object produced by a different entity. Threat opinions apply for STIX 2.x.
- Threat Report
Threat Reports are collections of threat intelligence focused on one or more topics. Threat reports apply for STIX 2.x.
- Tool
Tools are legitimate software that is used by threat actors to perform attacks. Tools apply for STIX 2.x.
- Vulnerability
A Vulnerability is a weakness or defect in a software or hardware component that attackers exploit. Vulnerabilities apply for STIX 2.x.
- Marking Definition
The marking-definition object represents a specific marking. Data markings typically represent handling or sharing requirements for data.
- Data Component
Data components are used to identify specific properties or values of a data source.
- Data Sources
Data sources represent the various subjects/topics of information that can be collected by sensors/logs. Data sources also include data components, which identify specific properties/values of a data source.
- Define RSS Feeds
A threat intelligence feed is a real-time, continuous data stream that gathers information related to cyber risks or threats. RSS feeds provide an easy way to stay up to date with your favorite websites, such as blogs or the latest cyber security news.
- Relationships Objects
Use relationship objects to link two observables, or an observable and an SDO, to explain how they relate to each other.
- Potential Relationships
The application uses automated correlation to establish potential relationships between two SDOs, two observables, or an observable and an SDO.
- Working with Reports in TISC
The Reports module in the Threat Intelligence Library section enables you to create, manage, and publish reports that use any intelligence available in the Threat Intelligence Library.